snort_manual

Published by: Luis Riobueno on Feb 19, 2011
Copyright:Attribution Non-commercial


The react keyword lets users react to traffic that matches a Snort rule. The basic reaction
is blocking interesting sites users want to access: New York Times, slashdot, or something really important
- napster and porn sites. The React code allows Snort to actively close offending connections and send a
visible notice to the browser. The notice may include your own comment. The following arguments (basic
modifiers) are valid for this option:


• block - close connection and send the visible notice

The basic argument may be combined with the following arguments (additional modifiers):

• msg - include the msg option text in the visible blocking notice
• proxy <port nr> - use the proxy port to send the visible notice

Multiple additional arguments are separated by a comma. The react keyword should be placed as the last
one in the option list.

Format

react: block[, <additional modifier>];

alert tcp any any <> 192.168.1.0/24 80 (content: "bad.htm"; \
msg: "Not for children!"; react: block, msg, proxy 8000;)

Figure 3.25: React Usage Example

Warnings

React functionality is not built in by default. This code is currently bundled under Flexible Response, so
enabling Flexible Response (--enable-flexresp) will also enable React.

Be very careful when using react. Causing a network traffic generation loop is very easy to do with this
functionality.
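
A small linter for the react rules described in this section, added here as an example (it is not part of the Snort manual or of Snort itself). It checks only what the section states: block as the basic modifier, msg and proxy <port nr> as additional modifiers, and react as the last option. The function names and the two variant rules are constructed for illustration.

```python
import re

BASIC = {"block"}              # basic modifiers listed in this section
ADDITIONAL = {"msg", "proxy"}  # additional modifiers listed in this section

def split_options(rule):
    """Return the rule's options as ordered (keyword, argument) pairs."""
    rule = rule.replace("\\\n", " ")  # join backslash-continued lines
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    # Split on ';' but keep double-quoted strings (which may contain ';') whole.
    parts = re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', body)
    opts = []
    for part in parts:
        if part.strip():
            key, _, arg = part.partition(":")
            opts.append((key.strip(), arg.strip()))
    return opts

def check_react(rule):
    """Return a list of problems with the rule's react option (empty if none)."""
    opts = split_options(rule)
    keys = [k for k, _ in opts]
    if "react" not in keys:
        return []
    problems = []
    if keys[-1] != "react":
        problems.append("react is not the last option")
    args = [a.strip() for a in dict(opts)["react"].split(",")]
    if args[0] not in BASIC:
        problems.append(f"basic modifier must be block, got {args[0]!r}")
    for arg in args[1:]:
        name, value = (arg.split(None, 1) + ["", ""])[:2]
        if name not in ADDITIONAL:
            problems.append(f"unknown additional modifier {name!r}")
        elif name == "proxy" and not (value.isdecimal() and 0 < int(value) < 65536):
            problems.append(f"proxy needs a port number, got {value!r}")
        elif name == "msg" and "msg" not in keys:
            # Inferred check: the msg modifier has no msg text to include.
            problems.append("react uses msg but the rule has no msg option")
    return problems

# The rule from Figure 3.25, followed by two constructed variants.
FIGURE_RULE = r'''alert tcp any any <> 192.168.1.0/24 80 (content: "bad.htm"; \
msg: "Not for children!"; react: block, msg, proxy 8000;)'''
MISPLACED = ('alert tcp any any <> 192.168.1.0/24 80 (react: block, msg; '
             'content: "bad.htm"; msg: "Not for children!";)')
BAD_ARGS = 'alert tcp any any <> 192.168.1.0/24 80 (content: "a;b"; react: drop, msg, proxy;)'
for sample in (FIGURE_RULE, MISPLACED, BAD_ARGS):
    print(check_react(sample))
```

The linter cannot tell whether Snort was built with Flexible Response; that still has to be confirmed on the sensor itself.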
